Use authentication tokens for PM GitLab runner
Starting with GitLab 16, there is a new mechanism to authenticate the runners via authentication tokens, so use it instead. Older tokens and runners are also removed, as they are no longer used. With the new way of managing tokens, both the tags and the locked state are managed from the GitLab web page. See: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
parent
dba11ea88a
commit
32c919d1fc
@ -1,9 +1,8 @@
|
|||||||
{ pkgs, lib, config, ... }:
|
{ pkgs, lib, config, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
age.secrets.ovniToken.file = ../../secrets/ovni-token.age;
|
age.secrets.gitlabRunnerShellToken.file = ../../secrets/gitlab-runner-shell-token.age;
|
||||||
age.secrets.gitlabToken.file = ../../secrets/gitlab-bsc-es-token.age;
|
age.secrets.gitlabRunnerDockerToken.file = ../../secrets/gitlab-runner-docker-token.age;
|
||||||
age.secrets.nosvToken.file = ../../secrets/nosv-token.age;
|
|
||||||
|
|
||||||
services.gitlab-runner = {
|
services.gitlab-runner = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -11,20 +10,14 @@
|
|||||||
services = let
|
services = let
|
||||||
common-shell = {
|
common-shell = {
|
||||||
executor = "shell";
|
executor = "shell";
|
||||||
tagList = [ "nix" "xeon" ];
|
|
||||||
registrationFlags = [
|
|
||||||
# Using space doesn't work, and causes it to misread the next flag
|
|
||||||
"--locked='false'"
|
|
||||||
];
|
|
||||||
environmentVariables = {
|
environmentVariables = {
|
||||||
SHELL = "${pkgs.bash}/bin/bash";
|
SHELL = "${pkgs.bash}/bin/bash";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
common-docker = {
|
common-docker = {
|
||||||
|
executor = "docker";
|
||||||
dockerImage = "debian:stable";
|
dockerImage = "debian:stable";
|
||||||
tagList = [ "docker" "xeon" ];
|
|
||||||
registrationFlags = [
|
registrationFlags = [
|
||||||
"--locked='false'"
|
|
||||||
"--docker-network-mode host"
|
"--docker-network-mode host"
|
||||||
];
|
];
|
||||||
environmentVariables = {
|
environmentVariables = {
|
||||||
@ -33,19 +26,12 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
# For gitlab.bsc.es
|
|
||||||
gitlab-bsc-es-shell = common-shell // {
|
|
||||||
registrationConfigFile = config.age.secrets.gitlabToken.path;
|
|
||||||
};
|
|
||||||
gitlab-bsc-es-docker = common-docker // {
|
|
||||||
registrationConfigFile = config.age.secrets.gitlabToken.path;
|
|
||||||
};
|
|
||||||
# For pm.bsc.es/gitlab
|
# For pm.bsc.es/gitlab
|
||||||
gitlab-pm-shell = common-shell // {
|
gitlab-pm-shell = common-shell // {
|
||||||
registrationConfigFile = config.age.secrets.ovniToken.path;
|
authenticationTokenConfigFile = config.age.secrets.gitlabRunnerShellToken.path;
|
||||||
};
|
};
|
||||||
gitlab-pm-docker = common-docker // {
|
gitlab-pm-docker = common-docker // {
|
||||||
registrationConfigFile = config.age.secrets.ovniToken.path;
|
authenticationTokenConfigFile = config.age.secrets.gitlabRunnerDockerToken.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
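Review bot: Nothing in this file now records which jobs `gitlab-pm-shell` may pick up, because `tagList` and `--locked='false'` are gone from `common-shell` and `common-docker`. For a shell executor, that setting decides which projects get to run commands directly on the host. The commit message says tags and locked state are now managed in the GitLab web page, so a comment next to `authenticationTokenConfigFile` would keep the intent reviewable, for example `# Tags (nix, xeon), locked and run-untagged are set on the runner's page in pm.bsc.es/gitlab`. Separately, `common-docker` still passes `--docker-network-mode host`, so job containers share the host's network namespace; a why-comment would help if that is intentional.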
@ -1,11 +0,0 @@
|
|||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 HY2yRg caTbx0NBmsTSmZH4HtBaxhsauWqWUDTesJqT08UsoEQ
|
|
||||||
8ND31xuco+H8d5SKg8xsCFRPVDhU4d8UKwV1BnmKVjQ
|
|
||||||
-> ssh-ed25519 CAWG4Q 4ETYuhCwHHECkut4DWDknMMgpAvFqtzLWVC2Wi2L8FM
|
|
||||||
BGMvRnAfd8qZG5hzLefmk32FkGvwzE9pqBUyx4JY0co
|
|
||||||
-> ssh-ed25519 MSF3dg hj5QL4ZfylN8/W/MXQHvVqtI7mRvlQOYr8HsaQEmPB0
|
|
||||||
kvB7sljmmkswSGZDQnrwdTbTsN78EAwH3pz1pPe0Hu0
|
|
||||||
-> )Q-grease vHF} [8p1> @7z;C"/
|
|
||||||
tgSUKFyyrf2jLXZp+pakigwB2fRO/WFj2Qnt1aPjtVPEK92JbJ4
|
|
||||||
--- xzM0AhV4gTQE0Q7inJNo9vFj+crJQxWeI7u9pl7bqAI
|
|
||||||
á6nGJÖ0Bˆ’7F° –bßÙ½2®L³äÇ]²2zl<7A>À&e†KÄx®àé9SWNàV"MfŽ€ëÙKHUC:1b;9St‰ëõ±Duѧç‹Ï¢žÌŸ¡<02>èÐéîÀ–<C380>ÔfÕ7¨î1§I(õdÓþô‡ïó
|
|
9
secrets/gitlab-runner-docker-token.age
Normal file
9
secrets/gitlab-runner-docker-token.age
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 HY2yRg WvKK6U1wQtx2pbUDfuaUIXTQiCulDkz7hgUCSwMfMzQ
|
||||||
|
jLktUMqKuVxukqzz++pHOKvmucUQqeKYy5IwBma7KxY
|
||||||
|
-> ssh-ed25519 CAWG4Q XKGuNNoYFl9bdZzsqYYTY7GsEt5sypLW4R+1uk78NmU
|
||||||
|
8dIA2GzRAwTGM5CDHSM2BUBsbXzEAUssWUz2PY2PaTg
|
||||||
|
-> ssh-ed25519 MSF3dg T630RsKuZIF/bp+KITnIIWWHsg6M/VQGqbWQZxqT+AA
|
||||||
|
SraZcgZJVtmUzHF/XR9J7aK5t5EDNpkC/av/WJUT/G8
|
||||||
|
--- /12G8pj9sbs591OM/ryhoLnSWWmzYcoqprk9uN/3g18
|
||||||
|
ä·ù¼Â‡%å]yi"ô<>»LÓâùH`ªa$Æþ)¦9ve<76>.0úmÉK<EFBFBD>vƒÀïu"|1cÞ-%ÔÕ"åWFï¡ÞA«<41>hº$•ºj<eñ¶xÅLx«ç.?œÈâ:L…¬–ƒ,ëu»|³‹F|Õi²äÔ
|
BIN
secrets/gitlab-runner-shell-token.age
Normal file
BIN
secrets/gitlab-runner-shell-token.age
Normal file
Binary file not shown.
@ -1,11 +0,0 @@
|
|||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 HY2yRg hrdS7Dl/j+u3XVfM79ZJpZSlre9TcD7DTQ+EEAT6kEE
|
|
||||||
avUO96P1h7w2BYWgrQ7GpUgdaCV9AZL7eOTTcF9gfro
|
|
||||||
-> ssh-ed25519 CAWG4Q A5raRY1CAgFYZgoQ92GMyNejYNdHx/7Y6uTS+EjLPWA
|
|
||||||
FRFqT2Jz7qRcybaxkQTKHGl797LVXoHpYG4RZSrX/70
|
|
||||||
-> ssh-ed25519 MSF3dg D+R80Bg7W9AuiOMAqtGFZQl994dRBIegYRLmmTaeZ3o
|
|
||||||
BHvZsugRiuZ91b4jk91h30o3eF3hadSnVCwxXge95T8
|
|
||||||
-> BT/El`a-grease W{nq|Vm )bld 2Nl}4 N$#JGB4t
|
|
||||||
oLG+0S1aGfO/ohCfgGmhDhwwLi4H
|
|
||||||
--- 2I5C+FvBG/K1ZHh7C5QD39feTSLoFGwcTeZAmeILNsI
|
|
||||||
¹õW©o÷ ÙÄd;ËÐC¾.¹¡_(“u
G¡€‰#ìvâœgÉ<67>†õõy¹Y‰žl9ŒÈ¡Ïµ.Œé0x<30>Þ½úN. /ü<>tB×b‡ü¼K¼ì:Q×—È\¹ÀÍT_´»Átxïm’——_JñÞž-š
|
|
Binary file not shown.
@ -6,10 +6,9 @@ let
|
|||||||
safe = keys.hostGroup.safe ++ adminsKeys;
|
safe = keys.hostGroup.safe ++ adminsKeys;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
"gitlab-bsc-es-token.age".publicKeys = hut;
|
|
||||||
"gitea-runner-token.age".publicKeys = hut;
|
"gitea-runner-token.age".publicKeys = hut;
|
||||||
"ovni-token.age".publicKeys = hut;
|
"gitlab-runner-docker-token.age".publicKeys = hut;
|
||||||
"nosv-token.age".publicKeys = hut;
|
"gitlab-runner-shell-token.age".publicKeys = hut;
|
||||||
"nix-serve.age".publicKeys = hut;
|
"nix-serve.age".publicKeys = hut;
|
||||||
"jungle-robot-password.age".publicKeys = hut;
|
"jungle-robot-password.age".publicKeys = hut;
|
||||||
|
|
||||||
|
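Review bot: Dropping `gitlab-bsc-es-token.age`, `ovni-token.age` and `nosv-token.age` from this list does not retire those credentials. Their age ciphertext stays in the repository history and can still be decrypted with any key in `hut` (defined outside the hunk). The commit message says the old tokens are no longer used, which is not the same as revoked, so the registration tokens should be reset and the old runners deleted on the GitLab side if that has not already been done. For the two new entries, a short comment such as `# runner authentication tokens for pm.bsc.es/gitlab, rotated from the runner's page` would tell the next maintainer where these values come from.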